Vulnerability Name:

CVE-2021-23358 (CCN-198958)

Assigned:2021-03-29
Published:2021-03-29
Updated:2021-09-22
Summary:The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
CVSS v3 Severity:7.2 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.8 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-94
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2021-23358

Source: XF
Type: UNKNOWN
nodejs-cve202123358-code-exec(198958)

Source: MISC
Type: Broken Link
https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71

Source: MLIST
Type: Mailing List, Third Party Advisory
[cordova-issues] 20210414 [GitHub] [cordova-common] breautek commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358

Source: MLIST
Type: Mailing List, Third Party Advisory
[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley edited a comment on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358

Source: MLIST
Type: Mailing List, Third Party Advisory
[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley opened a new issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358

Source: MLIST
Type: Mailing List, Third Party Advisory
[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358

Source: MLIST
Type: Mailing List, Third Party Advisory
[cordova-issues] 20210414 [GitHub] [cordova-common] breautek closed issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210331 [SECURITY] [DLA 2613-1] underscore security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-e49f936d9f

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-f278299902

Source: MISC
Type: Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504

Source: MISC
Type: Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505

Source: MISC
Type: Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503

Source: CCN
Type: SNYK-JS-UNDERSCORE
Arbitrary Code Execution

Source: MISC
Type: Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

Source: DEBIAN
Type: Third Party Advisory
DSA-4883

Source: CCN
Type: IBM Security Bulletin 6466599 (Spectrum Protect Plus)
Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6469363 (Spectrum Symphony)
Multiple vulnerabilities in Apache JSON Small and Fast Parser (json-smart) and Underscore affect IBM Spectrum Symphony

Source: CCN
Type: IBM Security Bulletin 6469905 (Cloud Pak for Integration)
IBM Cloud Pak for Integration is vulnerable to underscore vulnerability (CVE-2021-23358)

Source: CCN
Type: IBM Security Bulletin 6470841 (App connect Enterprise)
IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358)

Source: CCN
Type: IBM Security Bulletin 6493267 (Business Automation Workflow)
Multiple vulnerabilities may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) offline documentation

Source: CCN
Type: IBM Security Bulletin 6526538 (Resilient OnPrem)
IBM Security SOAR is using a component with a known vulnerability - Underscore.js (CVE-2021-23358)

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6831813 (Netcool Operations Insight)
Netcool Operations Insight v1.6.6 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6831849 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6857863 (MobileFirst Platform Foundation)
Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform

Source: CCN
Type: IBM Security Bulletin 6988629 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by multiple vulnerabilities in JQuery, Node.js and Swagger UI

Source: CCN
Type: NPM Web site
underscore

Source: CCN
Type: NPM Web site
underscore

Source: CONFIRM
Type: Third Party Advisory
https://www.tenable.com/security/tns-2021-14

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-23358

Vulnerable Configuration:Configuration 1:
  • cpe:/a:underscorejs:underscore:*:*:*:*:*:node.js:*:* (Version >= 1.3.2 and < 1.12.1)
  • OR cpe:/a:underscorejs:underscore:*:*:*:*:*:node.js:*:* (Version >= 1.13.0-0 and < 1.13.0-2)

    • Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:tenable:tenable.sc:*:*:*:*:*:*:*:* (Version <= 5.18.0)

    • Configuration 4:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*
  • AND
  • cpe:/a:ibm:business_process_manager:8.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_symphony:7.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:19.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:19.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:19.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_symphony:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:113036
    P
    		nodejs-underscore-1.13.1-1.3 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:106477
    P
    		nodejs-underscore-1.13.1-1.3 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:111340
    P
    		Security update for nodejs-underscore (Important)
    2021-04-23
    BACK
    underscorejs underscore *
    underscorejs underscore *
    debian debian linux 9.0
    debian debian linux 10.0
    tenable tenable.sc *
    fedoraproject fedora 33
    fedoraproject fedora 34
    nodejs node.js *
    ibm business process manager 8.6
    ibm infosphere information server 11.7
    ibm spectrum protect plus 10.1.0
    ibm business automation workflow 18.0.0.0
    ibm business automation workflow 18.0.0.1
    ibm spectrum symphony 7.2.1
    ibm app connect 11.0.0.0
    ibm business automation workflow 18.0.0.2
    ibm business automation workflow 19.0.0.1
    ibm mobilefirst platform foundation 8.0.0
    ibm business automation workflow 19.0.0.2
    ibm business automation workflow 19.0.0.3
    ibm spectrum symphony 7.3
    ibm business automation workflow 20.0.0.1
    ibm business automation workflow 20.0.0.2
    ibm spectrum protect plus 10.1.8
    ibm business automation workflow 21.0.2
    ibm cloud pak for security 1.7.2.0